Merge pull request #442 from posit-dev/feature/fork-safe-pr-workflow

bschwedler · web-flow · commit 1415b203cdaf · 2026-04-10T15:51:45.000-05:00
Add fork-safe PR build workflow
diff --git a/.github/workflows/bakery-build-pr.yml b/.github/workflows/bakery-build-pr.yml
@@ -0,0 +1,214 @@
+# Fork-safe PR build workflow for Posit container images.
+#
+# Unlike bakery-build-native.yml this workflow never pushes images.
+# Fork PRs get a read-only GITHUB_TOKEN with no access to repo secrets,
+# so registry logins and caching are conditional on the PR source.
+#
+# Security policy: No ${{ }} expressions in `run:` blocks.
+# All expression values are assigned to `env:` and referenced as
+# shell variables. This prevents script injection from runtime values
+# (matrix outputs, secrets) and keeps the rule enforceable by zizmor
+# without per-expression exceptions.
+
+name: Bakery PR Build
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        description: "Bakery version to install"
+        default: "main"
+        required: false
+        type: string
+      context:
+        description: "Path to the bakery context"
+        default: "."
+        required: false
+        type: string
+      dev-versions:
+        description: "Whether to include development versions [default: exclude]"
+        default: "exclude"
+        required: false
+        type: string
+      matrix-versions:
+        description: "Whether to include matrix versions [default: exclude]"
+        default: "exclude"
+        required: false
+        type: string
+      retry:
+        description: "Number of times to retry a failed build"
+        default: 1
+        required: false
+        type: number
+      amd64-builder:
+        description: "Runner label for amd64 builds"
+        default: "ubuntu-latest-4x"
+        required: false
+        type: string
+      arm64-builder:
+        description: "Runner label for arm64 builds"
+        default: "ubuntu-24.04-arm64-4-core"
+        required: false
+        type: string
+    # NO secrets section — only inherited GITHUB_TOKEN
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  detect:
+    name: Detect Fork
+    runs-on: ubuntu-latest
+    permissions: {}
+    outputs:
+      is-fork: ${{ steps.check.outputs.is-fork }}
+    steps:
+      - name: Check fork status
+        id: check
+        env:
+          IS_FORK: ${{ github.event.pull_request.head.repo.fork == true }}
+        run: echo "is-fork=$IS_FORK" >> "$GITHUB_OUTPUT"
+
+  matrix:
+    name: Image Matrix
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      platform-matrix: ${{ steps.images-by-platform.outputs.platform_matrix }}
+      versions-matrix: ${{ steps.images-by-version.outputs.versions_matrix }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install
+        uses: "posit-dev/images-shared/setup-bakery@main"
+        with:
+          version: ${{ inputs.version }}
+
+      - name: Images by Version/Platform
+        id: images-by-platform
+        env:
+          DEV_VERSIONS: ${{ inputs.dev-versions }}
+          MATRIX_VERSIONS: ${{ inputs.matrix-versions }}
+          BAKERY_CONTEXT: ${{ inputs.context }}
+        run: |
+          echo "platform_matrix=$(bakery ci matrix --quiet --dev-versions "$DEV_VERSIONS" --matrix-versions "$MATRIX_VERSIONS" --context "$BAKERY_CONTEXT" | jq --compact-output .)" >> "$GITHUB_OUTPUT"
+
+      - name: Images by Version
+        id: images-by-version
+        env:
+          DEV_VERSIONS: ${{ inputs.dev-versions }}
+          MATRIX_VERSIONS: ${{ inputs.matrix-versions }}
+          BAKERY_CONTEXT: ${{ inputs.context }}
+        run: |
+          echo "versions_matrix=$(bakery ci matrix --quiet --dev-versions "$DEV_VERSIONS" --matrix-versions "$MATRIX_VERSIONS" --exclude platform --context "$BAKERY_CONTEXT" | jq --compact-output .)" >> "$GITHUB_OUTPUT"
+
+  build-test:
+    name: "Build/Test ${{ matrix.img.image }}:${{ matrix.img.version }} (${{ matrix.img.platform }})"
+    needs:
+      - detect
+      - matrix
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        img: ${{ fromJson(needs.matrix.outputs.platform-matrix) }}
+    runs-on: ${{ matrix.img.platform == 'linux/arm64' && inputs.arm64-builder || inputs.amd64-builder }}
+    # Skip arm64 for fork PRs — paid runners may not be available
+    if: needs.detect.outputs.is-fork != 'true' || matrix.img.platform != 'linux/arm64'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup bakery
+        uses: "posit-dev/images-shared/setup-bakery@main"
+        with:
+          version: ${{ inputs.version }}
+
+      - name: Setup goss
+        uses: "posit-dev/images-shared/setup-goss@main"
+
+      - name: Set up Docker
+        uses: docker/setup-docker-action@v5
+        with:
+          daemon-config: |
+            {
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
+
+      - name: Setup docker buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Setup ORAS CLI
+        uses: oras-project/setup-oras@v1
+
+      - name: Login to GitHub Container Registry
+        if: needs.detect.outputs.is-fork != 'true'
+        uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Normalize platform
+        id: normalize-platform
+        env:
+          BUILD_PLATFORM: ${{ matrix.img.platform }}
+        run: |
+          PLATFORM=${BUILD_PLATFORM#linux/}
+          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
+
+      - name: Build
+        env:
+          IS_FORK: ${{ needs.detect.outputs.is-fork }}
+          GIT_SHA: ${{ github.sha }}
+          RETRY: ${{ inputs.retry }}
+          IMAGE_NAME: ${{ matrix.img.image }}
+          IMAGE_VERSION: ${{ matrix.img.version }}
+          IMAGE_PLATFORM: ${{ matrix.img.platform }}
+          DEV_VERSIONS: ${{ inputs.dev-versions }}
+          MATRIX_VERSIONS: ${{ inputs.matrix-versions }}
+          BAKERY_CONTEXT: ${{ inputs.context }}
+          REGISTRY_OWNER: ${{ github.repository_owner }}
+        run: |
+          CACHE_FLAGS=""
+          if [ "$IS_FORK" != "true" ]; then
+            CACHE_FLAGS="--cache-registry ghcr.io/${REGISTRY_OWNER}"
+          fi
+          bakery build \
+            --strategy build --pull --load \
+            --retry "$RETRY" \
+            --image-name "^${IMAGE_NAME}$" \
+            --image-version "$IMAGE_VERSION" \
+            --image-platform "$IMAGE_PLATFORM" \
+            --dev-versions "$DEV_VERSIONS" \
+            --matrix-versions "$MATRIX_VERSIONS" \
+            $CACHE_FLAGS \
+            --context "$BAKERY_CONTEXT"
+
+      - name: Test
+        env:
+          IMAGE_NAME: ${{ matrix.img.image }}
+          IMAGE_VERSION: ${{ matrix.img.version }}
+          IMAGE_PLATFORM: ${{ matrix.img.platform }}
+          DEV_VERSIONS: ${{ inputs.dev-versions }}
+          MATRIX_VERSIONS: ${{ inputs.matrix-versions }}
+          BAKERY_CONTEXT: ${{ inputs.context }}
+        run: |
+          GOSS_PATH=${GITHUB_WORKSPACE}/tools/goss \
+          DGOSS_PATH=${GITHUB_WORKSPACE}/tools/dgoss \
+          bakery run dgoss \
+            --image-name "^${IMAGE_NAME}$" \
+            --image-version "$IMAGE_VERSION" \
+            --image-platform "$IMAGE_PLATFORM" \
+            --dev-versions "$DEV_VERSIONS" \
+            --matrix-versions "$MATRIX_VERSIONS" \
+            --context "$BAKERY_CONTEXT"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -28,11 +28,13 @@ jobs:
       - test
       - bakery
       - bakery-native
+      - bakery-pr
       - release
 
     steps:
       - uses: re-actors/alls-green@release/v1
         with:
+          allowed-skips: bakery-pr
           jobs: ${{ toJSON(needs) }}
 
   test:
@@ -141,6 +143,21 @@ jobs:
       context: "./posit-bakery/test/resources/multiplatform/"
       dev-versions: include
 
+  bakery-pr:
+    name: Bakery PR Build
+    if: github.event_name == 'pull_request'
+    permissions:
+      contents: read
+      packages: write
+
+    uses: "./.github/workflows/bakery-build-pr.yml"
+    with:
+      # Don't pass version — default "main" is correct here. The head_ref
+      # pattern used by other jobs breaks on fork PRs because the fork's
+      # branch doesn't exist in posit-dev/images-shared.
+      context: "./posit-bakery/test/resources/multiplatform/"
+      dev-versions: include
+
   with-macros-clean-caches:
     name: Clean Caches (with-macros suite)
     permissions:
